Merchant sites open door to Visa fraud

Evan Schuman | Dec. 12, 2016

Visa dismisses the issue as a hypothetical attack method — but security researchers tried it and it worked

How big is that e-commerce vulnerability? At this time of year, it’s larger than usual. That’s because e-tailers, including the online operations of physical chains, are scared to death to make their anti-fraud tactics more strict during the holidays. Although the rate of fraud doesn’t change during the hectic holiday shopping season, the shopper tolerance for jumping through anti-fraud hoops is far lower. That’s primarily because there are a lot of people who will only show up at an e-tailer’s virtual door during the holidays, often when they have a new gift recipient to deal with, such as a new brother-in-law who loves to fish.

Some of these holiday-only shoppers can be converted to regular visitors, but only if they are treated right. And when they get the slightest pushback on authentication, they have no problem abandoning the site, since they have no loyalty. As far as they are concerned, one fishing site is as good as another.

In short, adding checkout fields or lowering the number of failed attempts a site will tolerate is the last thing retailers want to do during the holidays.

This attack is quite effective because, by definition, it can’t be thwarted by the actions of any one or two — or even 2,000 — sites. As long as there are a decent number of lenient sites, this works. The true way to combat it is to have a centralized system — at the processor level, presumably, although the card brands could also attempt it — that limits wrong guesses for a card across all sites. That way, a multi-merchant attack method wouldn’t get any more guessing attempts than any one site.

But that’s not how the system works today. Merchants have wide latitude in deciding their own security methods, which aligns with how much risk they are willing to fund. That makes centralized verification tricky.

Still, the report found, without explanation, that while these attacks worked on every Visa card attempted, regardless of issuing bank, “when the attack is applied to a Mastercard, the distributed attack is detected. This suggests that the payment networks have the capability to detect and prevent a distributed attack where the network is globally integrated.”

The paper noted that a simple CAPTCHA on a checkout page disrupted their bot. Again, though, on a multi-merchant attack, the defenses of any one site are irrelevant.

“Payment gateways can provide advanced features to their merchants, and these features should at least make it more difficult to exploit a website for the attack. Most importantly, gateways may use IP address velocity filters, which are implemented to detect repeated invalid attempts made within a certain time span from the same IP address,” the paper said, before pointing out this tactic’s futility. “But with no coordination between different gateways, these velocity filters can easily be circumvented just by switching to a website that uses a different payment gateway.”
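The gap described here, and the network-level counter proposed earlier as the real fix, can be made concrete with a small detection-side simulation. The following is an added example written for this page, not code from the article or from the researchers' paper: it runs the same sliding-window velocity filter over a constructed log of authorisation attempts, keyed three ways (per gateway and source IP, per gateway and card, and per card across the whole network), and shows which scope actually raises an alert when failures for one card are spread across several gateways. The `Attempt` fields, the 60-second window, the threshold of 5 and the sample attempts are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One authorisation attempt as a gateway or network might log it (assumed schema)."""
    ts: int           # seconds since the start of the observation period
    card_token: str   # tokenised card reference; no raw card number is handled here
    merchant: str
    gateway: str
    src_ip: str
    ok: bool          # True if the processor accepted the authorisation


def velocity_alerts(attempts, key_fn, window=60, threshold=5):
    """Generic sliding-window velocity filter.

    Failed attempts are grouped by key_fn(attempt); a key is alerted once
    `threshold` or more failures fall inside any `window`-second span.
    The choice of key_fn decides how much of the traffic the filter can see.
    """
    alerts = set()
    recent = defaultdict(deque)
    for a in sorted(attempts, key=lambda a: a.ts):
        if a.ok:
            continue
        key = key_fn(a)
        bucket = recent[key]
        bucket.append(a.ts)
        # evict failures that have aged out of the window
        while bucket and a.ts - bucket[0] > window:
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts.add(key)
    return alerts


def gateway_ip_alerts(attempts, **kw):
    """What a single gateway's IP velocity filter sees: only its own traffic, keyed by source IP."""
    return velocity_alerts(attempts, lambda a: (a.gateway, a.src_ip), **kw)


def gateway_card_alerts(attempts, **kw):
    """A stricter per-gateway filter keyed by card; still blind to other gateways."""
    return velocity_alerts(attempts, lambda a: (a.gateway, a.card_token), **kw)


def network_card_alerts(attempts, **kw):
    """The centralised counter: every merchant's failures against a card, regardless of gateway."""
    return velocity_alerts(attempts, lambda a: a.card_token, **kw)


def constructed_sample():
    """Constructed log: 12 failures on one card spread over 4 gateways (3 each) within 44 seconds,
    plus a legitimate shopper on another card who mistypes once and then succeeds."""
    gateways = ["gw-a", "gw-b", "gw-c", "gw-d"]
    attempts = [
        Attempt(ts=4 * i, card_token="tok-card-A", merchant=f"shop-{i}",
                gateway=gateways[i % 4], src_ip="198.51.100.7", ok=False)
        for i in range(12)
    ]
    attempts.append(Attempt(ts=10, card_token="tok-card-B", merchant="shop-legit",
                            gateway="gw-a", src_ip="203.0.113.9", ok=False))
    attempts.append(Attempt(ts=20, card_token="tok-card-B", merchant="shop-legit",
                            gateway="gw-a", src_ip="203.0.113.9", ok=True))
    return attempts


def compare(attempts):
    """Run all three scopes over the same log so the visibility gap is side by side."""
    return {
        "gateway_ip": gateway_ip_alerts(attempts),
        "gateway_card": gateway_card_alerts(attempts),
        "network_card": network_card_alerts(attempts),
    }


if __name__ == "__main__":
    for scope, hits in compare(constructed_sample()).items():
        print(f"{scope:13s} -> {sorted(map(str, hits)) or 'no alert'}")
```

With these settings each gateway sees only three failures for the card, below its threshold, so neither per-gateway filter fires; only the network-scoped counter, which aggregates all twelve, alerts on the card. Raising the per-gateway threshold or shrinking the window does not change the picture as long as the attempts are spread thinly enough, which is the point the paper makes about uncoordinated gateways.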